Changes in postlfs/security/iptables.xml [da54a62:92d18a9]
Files changed: 1 edited
postlfs/security/iptables.xml
rda54a62 r92d18a9 7 7 <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2"> 8 8 <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2"> 9 <!ENTITY iptables-md5sum " 602ba7e937c72fbb7b1c2b71c3b0004b">10 <!ENTITY iptables-size "70 4KB">11 <!ENTITY iptables-buildsize " 22MB">12 <!ENTITY iptables-time "0. 1SBU">9 <!ENTITY iptables-md5sum "bc0f0adccc93c09dc5b7507ccba93148"> 10 <!ENTITY iptables-size "700 KB"> 11 <!ENTITY iptables-buildsize "17 MB"> 12 <!ENTITY iptables-time "0.2 SBU"> 13 13 ]> 14 14 … … 17 17 18 18 <sect1info> 19 <othername>$LastChangedBy$</othername> 19 20 <date>$Date$</date> 20 21 </sect1info> … … 31 32 <para> 32 33 <application>iptables</application> is a userspace command line program 33 used to configure theLinux 2.4 and later kernel packet filtering ruleset.34 </para> 35 36 &lfs1 10a_checked;34 used to configure Linux 2.4 and later kernel packet filtering ruleset. 
35 </para> 36 37 &lfs10_checked; 37 38 38 39 <bridgehead renderas="sect3">Package Information</bridgehead> … … 77 78 <xref linkend="libpcap"/> (required for nfsypproxy support), 78 79 <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink> 79 (required for Berkel ey Packet Filter support),80 (required for Berkely Packet Filter support), 80 81 <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink> 81 82 (required for connlabel support), 82 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack </ulink>83 (required for connlabel support) , and83 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>, and 84 (required for connlabel support) 84 85 <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink> 85 86 </para> … … 148 149 149 150 <screen><userinput>./configure --prefix=/usr \ 151 --sbindir=/sbin \ 150 152 --disable-nftables \ 151 --enable-libipq && 153 --enable-libipq \ 154 --with-xtlibdir=/lib/xtables && 152 155 make</userinput></screen> 153 156 … … 165 168 </para> 166 169 167 <screen role="root"><userinput>make install</userinput></screen> 170 <screen role="root"><userinput>make install && 171 ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml && 172 173 for file in ip4tc ip6tc ipq xtables 174 do 175 mv -v /usr/lib/lib${file}.so.* /lib && 176 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so 177 done</userinput></screen> 168 178 169 179 </sect2> … … 174 184 <para> 175 185 <parameter>--disable-nftables</parameter>: This switch disables building 176 nftables compat ibility. <!--Omit this switch if you have installed186 nftables compat. 
<!--Omit this switch if you have installed 177 187 <xref linkend="nftables"/>.--> 178 188 </para> … … 185 195 186 196 <para> 197 <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all 198 <application>iptables</application> modules are installed in the 199 <filename class="directory">/lib/xtables</filename> directory. 200 </para> 201 202 <para> 187 203 <option>--enable-nfsynproxy</option>: This switch enables installation 188 204 of <application>nfsynproxy</application> SYNPROXY configuration tool. 205 </para> 206 207 <para> 208 <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>: 209 Ensure the symbolic link for <command>iptables-xml</command> is relative. 189 210 </para> 190 211 … … 220 241 <para> 221 242 A Personal Firewall is designed to let you access all the 222 services offered on the Internet while keeping your computersecure and243 services offered on the Internet, but keep your box secure and 223 244 your data private. 224 245 </para> … … 229 250 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 230 251 Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable 231 to the Linux 5.x kernels.252 to the Linux 3.x kernels. 232 253 </para> 233 254 … … 301 322 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 302 323 303 # Log everything else. 324 # Log everything else. What's Windows' latest exploitable vulnerability? 304 325 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 305 326 … … 379 400 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 380 401 381 # Log everything else. 402 # Log everything else. What's Windows' latest exploitable vulnerability? 
382 403 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 383 404 … … 413 434 414 435 <para> 415 A Network Firewall has two interfaces, one connected to an436 A network Firewall has two interfaces, one connected to an 416 437 intranet, in this example <emphasis role="strong">LAN1</emphasis>, 417 438 and one connected to the Internet, here <emphasis 418 439 role="strong">WAN1</emphasis>. To provide the maximum security 419 440 for the firewall itself, make sure that there are no unnecessary 420 servers running on it such as <application>X11</application> .441 servers running on it such as <application>X11</application> et al. 421 442 As a general principle, the firewall itself should not access 422 443 any untrusted service (think of a remote server giving answers that … … 439 460 echo "You can find additional information" 440 461 echo "about firewalls in Chapter 4 of the BLFS book." 441 echo "http s://www.&lfs-domainname;/blfs"462 echo "http://www.&lfs-domainname;/blfs" 442 463 echo 443 464 … … 735 756 </listitem> 736 757 <listitem> 737 <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable sexample number 4">758 <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4"> 738 759 If you are frequently accessing FTP servers or enjoy chatting, you 739 760 might notice delays because some implementations of these daemons … … 853 874 <seglistitem> 854 875 <seg> 855 ip6tables, 856 ip6tables-apply, 857 ip6tables-legacy, 858 ip6tables-legacy-restore, 859 ip6tables-legacy-save, 860 ip6tables-restore, 861 ip6tables-save, 862 iptables, 863 iptables-apply, 864 iptables-legacy, 865 iptables-legacy-restore, 866 iptables-legacy-apply, 867 iptables-restore, 868 iptables-save, 869 iptables-xml, 870 nfsynproxy (optional), 871 and xtables-multi 876 ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore, 877 iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi 872 878 </seg> 873 879 <seg> 874 libip4tc.so, 875 libip6tc.so, 876 
libipq.so, 877 libiptc.so, 878 and libxtables.so 880 libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so 879 881 </seg> 880 882 <seg> 881 /lib/xtables and 882 /usr/include/libiptc 883 /lib/xtables and /usr/include/libiptc 883 884 </seg> 884 885 </seglistitem> … … 895 896 <para> 896 897 is used to set up, maintain, and inspect the tables of 897 IP packet filter rules in the Linux kernel 898 IP packet filter rules in the Linux kernel. 898 899 </para> 899 900 <indexterm zone="iptables iptables-prog"> … … 903 904 </varlistentry> 904 905 905 <varlistentry id="iptables-apply">906 <term><command>iptables-apply</command></term>907 <listitem>908 <para>909 is a safer way to update iptables remotely910 </para>911 <indexterm zone="iptables iptables-apply">912 <primary sortas="b-iptables-apply">iptables-apply</primary>913 </indexterm>914 </listitem>915 </varlistentry>916 917 <varlistentry id="iptables-legacy">918 <term><command>iptables-legacy</command></term>919 <listitem>920 <para>921 is used to interact with iptables using the legacy command set922 </para>923 <indexterm zone="iptables iptables-legacy">924 <primary sortas="b-iptables-legacy">iptables-legacy</primary>925 </indexterm>926 </listitem>927 </varlistentry>928 929 <varlistentry id="iptables-legacy-restore">930 <term><command>iptables-legacy-restore</command></term>931 <listitem>932 <para>933 is used to restore a set of legacy iptables rules934 </para>935 <indexterm zone="iptables iptables-legacy-restore">936 <primary sortas="b-iptables-legacy-restore">iptables-legacy-restore</primary>937 </indexterm>938 </listitem>939 </varlistentry>940 941 <varlistentry id="iptables-legacy-save">942 <term><command>iptables-legacy-save</command></term>943 <listitem>944 <para>945 is used to save a set of legacy iptables rules946 </para>947 <indexterm zone="iptables iptables-legacy-save">948 <primary sortas="b-iptables-legacy-save">iptables-legacy-save</primary>949 </indexterm>950 </listitem>951 </varlistentry>952 953 
906 <varlistentry id="iptables-restore"> 954 907 <term><command>iptables-restore</command></term> … … 957 910 is used to restore IP Tables from data specified on 958 911 STDIN. Use I/O redirection provided by your 959 shell to read from a file 912 shell to read from a file. 960 913 </para> 961 914 <indexterm zone="iptables iptables-restore"> … … 971 924 is used to dump the contents of an IP Table in easily 972 925 parseable format to STDOUT. Use I/O-redirection 973 provided by your shell to write to a file 926 provided by your shell to write to a file. 974 927 </para> 975 928 <indexterm zone="iptables iptables-save"> … … 986 939 <command>iptables-save</command> to an XML format. Using the 987 940 <filename>iptables.xslt</filename> stylesheet converts the XML 988 back to the format of <command>iptables-restore</command> 941 back to the format of <command>iptables-restore</command>. 989 942 </para> 990 943 <indexterm zone="iptables iptables-xml"> … … 999 952 <para> 1000 953 are a set of commands for IPV6 that parallel the iptables 1001 commands above 954 commands above. 1002 955 </para> 1003 956 <indexterm zone="iptables ip6tables"> … … 1013 966 (optional) configuration tool. SYNPROXY target makes handling of 1014 967 large SYN floods possible without the large performance penalties 1015 imposed by the connection tracking in such cases 968 imposed by the connection tracking in such cases. 1016 969 </para> 1017 970 <indexterm zone="iptables nfsynproxy"> … … 1025 978 <listitem> 1026 979 <para> 1027 is a binary that behaves according to the name it is called by 980 is a binary that behaves according to the name it is called by. 1028 981 </para> 1029 982 <indexterm zone="iptables xtables-multi">
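Review bot: the rewritten description on the 92d18a9 side, "used to configure Linux 2.4 and later kernel packet filtering ruleset", drops the article and is ungrammatical; keep "configure the Linux 2.4 and later kernel packet filtering ruleset". In the same hunk the check marker goes from `&lfs110a_checked;` to `&lfs10_checked;`, which moves the page's verified-against version backwards; if this changeset is a revert that is fine, otherwise the marker should not regress while the md5sum, size and SBU entities are being updated.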
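Review bot: the dependency sentence in the 92d18a9 column is broken in three places: `libnetfilter_conntrack"</ulink>, and` carries a stray double quote inside the link text, the parenthetical `(required for connlabel support)` has been moved after ", and" so the list now reads "libnetfilter_conntrack", and (required for connlabel support) nftables", and "Berkeley Packet Filter" has become "Berkely". Keep the da54a62 order (`libnetfilter_conntrack</ulink> (required for connlabel support), and` followed by the nftables link) and restore the spelling.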
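Review bot: `--sbindir=/sbin \` is added to the configure command, but unlike `--with-xtlibdir=/lib/xtables` it gets no paragraph in Command Explanations; add one saying why the binaries are placed in /sbin rather than under the `--prefix=/usr` default, so a reader on a merged-/usr system can tell whether the switch is required or optional.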
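Review bot: the relocation loop `for file in ip4tc ip6tc ipq xtables` moves four shared libraries to /lib, but the Installed Libraries list in the same change names five (libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so); either add iptc to the loop or state why libiptc.so is left in /usr/lib. The relink step `ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so` also assumes /usr/lib/lib${file}.so is a symlink: if `make install` produced a regular file there, readlink prints nothing and the new link would point at `../../lib/`, so the loop should at least fail loudly (for example `[ -L /usr/lib/lib${file}.so ] || exit 1` before the mv) rather than silently create a dangling link.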
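Review bot: "This switch disables building nftables compat." reads as an unfinished abbreviation; keep "nftables compatibility" as in the other column. The commented-out "Omit this switch if you have installed nftables" note is still useful guidance and could simply be uncommented instead of left as an XML comment.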
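Review bot: "keep your box secure and your data private" replaces "keeping your computer secure and your data private"; "box" is slang and the sentence also changes tense mid-way ("let you access ... but keep"). The da54a62 wording is the clearer of the two.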
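Review bot: "It is still applicable to the Linux 3.x kernels" replaces "5.x"; the point of the sentence is that the old Packet Filtering HOWTO is still relevant, and naming an older kernel series than the one in the other column weakens that claim rather than supporting it. Keep 5.x, or make it version-neutral ("still applicable to current kernels") so it does not need editing on every kernel bump.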
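Review bot: the comment in both firewall scripts, at lines 324 and 402, `# Log everything else. What's Windows' latest exploitable vulnerability?`, contains a question that has nothing to do with the rule beneath it (`iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "`). It reads as stray pasted text; trim the comment back to "# Log everything else." in both places so the script comments only describe the rules.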
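Review bot: "servers running on it such as X11 et al." is redundant, since "such as" already marks a non-exhaustive example; drop "et al.". In the same hunk "A network Firewall" has inconsistent capitalisation with "A Personal Firewall" earlier on the page; pick one form.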
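Review bot: `echo "http://www.&lfs-domainname;/blfs"` downgrades the URL printed by the firewall script from https to http; there is no reason for a security page to point readers at the plaintext variant, so keep `https://`.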
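Review bot: `xreflabel="BusyBox with iptable example number 4"` misspells the program name; it should be "iptables" as in the id `fw-BB-4-ipt` and the rest of the page.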
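Review bot: the Installed Programs list and the Short Descriptions on the 92d18a9 side drop iptables-apply, iptables-legacy, iptables-legacy-restore, iptables-legacy-save and the ip6tables-legacy counterparts, yet the installation commands in the same change run `ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml`, so the legacy multi-call binary is still being installed and its aliases are undocumented. Either keep the entries or explain the omission. Note also that the da54a62 list contains "iptables-legacy-apply", which matches no short description (the corresponding entry is iptables-legacy-save); whichever list is kept should be checked against what `make install` actually puts in /sbin.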